By: Rajesh Goel, Chief Technology Officer, Brainlink International Inc.

Raj Goel, CISSP
CTO Brainlink International, Inc.


Raj’s LinkedIn profile

This article appeared on CPN Online

Q: How effective are Internet security tools these days and what new tools or processes should I be using to protect electronic access to my business records and communications?

A: The first thing to note is that talking about Internet security by itself makes no sense. That’s akin to asking, “How do I protect my car in the garage?” without looking at the overall security of your house, neighborhood and locality.

When people talk about Internet security, what they really mean is,”How do I protect my sensitive information?” That is, information security.

Information security involves:
Determining what and where are your information assets– databases, paper files, online systems, emails, accounting systems, PDAs, laptops, etcetera;
Classifying the assets by value;
Determining who should and should not have access to that information;
Determining which regulations and standards apply to your business. At the federal level, Gramm-Leach Bliley, HIPAA and Sarbanes-Oxley provide written standards that organizations must meet, depending on the nature of their business or clientele. At the state level, 31 states have passed State Privacy Breach laws (California’s SB-1386 was the first, while New York and Massachusetts have the toughest). So if you have clients in any of those 31 states, complying with those laws is a must. At an industry level, two standards stand out: PCI-DSS for any company that accepts credit cards, regardless of industry, and the National Association of Realtors’ REALTOR Secure standard. PCI-DSS and REALTOR Secure are industry standards, and do not have the force of law behind them. However, complying with them can improve business practices, provide competitive advantages and even provide a safe-harbor defense in case of a breach.
Putting systems in place to enforce security, log unauthorized access, etcetera.

Thus, there is no simple answer to information security–each organization is different, as is how they conduct business and the culture of each firm will determine the choice of tools and success of the individual information security program.

In our experience, a good InfoSec program delivers the following benefits:

It requires the organization to become aware of existing laws and how they impacts the organization. E.G. Gramm-Leach-Bliley, for instance, expanded the definition of financial institutions to include real estate firms, auto dealerships and appraisers. So if you appraise property, hold funds in escrow or otherwise lend credit in the course of doing business, GLBA may consider you a financial institution and requires that you safeguard clients’ personal indentifiable information. Failure to secure PII can results in penalties including civil monetary fines of varying amounts as high as $1 million or more, prison sentences of as much as five years, lower examination ratings and increased reporting requirements, and enforcement actions, which can include board resolutions, memorandums of understanding, written agreements and cease and desist orders.

A good InfoSec assessment answers the following questions: – What business are we in?
– Where do our clients come from?
– Who are ARE our key clients?
– Which clients or lines of business should we get rid of, outsource or spin off?

Complying with the laws and standards helps your company stand out from its peers, reduces liabilities and damages in case of breaches and increases profitability.

In our experience, one of the things we uncover is the roadblocks and logjams that are interfering with productivity: for instance, if the way forms are handled or cases are approved or projects are delivered or goods are sold is too slow or too cumbersome or the process was built 10 or 20 years ago.

In many cases, we reduce transaction time, increase deal flow and/or reduce staff and labor costs by analyzing the information flows, diagramming the information-flow touch points and working with our clients to eliminate roadblocks.

When fixing the issues (“remediating the gaps” in InfoSec jargon), new technology and faster systems can be brought in that really show results at the bottom line.

I worked with a large retailer to complete a PCI compliance assessment, and shaving 1/100th of a second per transaction (multiplied by millions of transactions per month) led to a significant increase in profits.

For a health care chain, the result of the PCI compliance efforts was the adoption of a new electronic health record system that reduced errors, eliminated patients filling out the same medical intake questionnaire again and again, reduced keying and transcription costs and led to better health care. Reduced waiting times also allowed the chain to book more appointments.

For a commercial property management firm, we identified systems and services that were being hosted by third-party vendors that were bleeding the business. We moved these critical systems in house and saved the client a fortune. Moving them in house also led to lowered compliance and management costs.

So, what’s your information security policy? What business practices and roadblocks have you been tolerating that, when removed, could increase your profits by 10 to 30 percent?